
Re: pam_console for debian



On Fri, Jul 26, 2002 at 12:30:11PM +0200, Russell Coker wrote:
> That wouldn't work.  Someone who has logged in can run a proxy process that 
> listens on a TCP socket and then performs access to the device as specified 
> by a remote user on the net.

Yes. I knew I had forgotten something...

> The thing to do with SE Linux to solve this properly is have the login 
> process change the type of the device node to something the user can access, 
> and then change it back to something else when they logout (also it would be 
> changed when someone else logs in to the console - in case the logout process 
> was interrupted somehow).

Sounds like a good solution.

> Changing the type in SE Linux immediately prevents all further access to the 
> open file handle unless the domain in question is permitted such access.

Could that be a problem if the user is already in the middle of the
transaction?

e.g. user program sends request to camera "get file", camera sends data
back, user program gets denied access while transferring data, what
happens to the data getting sent back?
-- 
Brian May <bam@debian.org>

